TheSupe87 - Fotolia

News

Is consumer data privacy at risk under cybersecurity legislation?

#GRCChat participants discuss how cybersecurity legislation could hurt data privacy and what personal information protections should be included in the new rules.

Aislyn Fredsall

Published: 06 Jul 2015

New U.S. cybersecurity legislation designed to prevent future data breaches continues to be debated by U.S. legislators, and consumer privacy remains a sticking point. Bills such as the Protecting Cyber Networks Act (PCNA) propose systems for private companies to share information about cyber threats with government agencies. Opponents fear that including this type of information sharing in cybersecurity legislation will hurt privacy by helping the U.S. government collect consumer data for law enforcement or surveillance purposes.

Proposed cybersecurity bills such as PCNA continue to raise questions about what U.S. citizens are willing to give up to prevent massive data breaches that have become the norm. Most agree that there should be some sort of cybersecurity legislation, but consumer data privacy remains a major priority. In this #GRCChat recap, participants discuss how cybersecurity legislation could affect privacy and what precautions should be taken to protect consumer data.

Will data sharing policies proposed in cybersecurity legislation hurt consumer privacy? Why or why not?

Although cybersecurity legislation is meant to protect consumer privacy, some think that it would actually undermine it. Detractors of cybersecurity legislation specifically worry about the amount of consumer data that would be available to the government should proposed bills become law. #GRCChat participants acknowledged privacy is a legitimate concern, but added that data sharing stipulations may be necessary:

A3 Privacy advocates are understandably concerned about gov data sharing, and fed using info for surveillance/crime investigations #GRCchat
— Ben Cole (@BenjaminCole11) May 7, 2015

A3 Not doing anything could be worse: proposed laws are designed to prevent recent hacks of customer data at major retailers #GRCchat
— Ben Cole (@BenjaminCole11) May 7, 2015

A3 The question is does consumer privacy suffer more with or without legislation? Is legislation a necessary evil, in other words? #GRCchat
— Nicole Laskowski (@TT_Nicole) May 7, 2015

Although some #GRCchat-ters agreed that cybersecurity legislation is needed, they added that current proposed legislation is lacking from a consumer privacy standpoint:

A3 Greater #privacy protection thru some combo legislation, industry initiatives needed, but this effort fails to impress #grcchat
— knowlengr (@knowlengr) May 7, 2015

Excellent point @knowlengr , you would think with NSA controversy consumer privacy would have been more of a priority #GRCchat
— Ben Cole (@BenjaminCole11) May 7, 2015

The lack of a consumer presence wasn't the only fault found with proposed cybersecurity legislation. Participants thought that bills often demonstrated a lack of knowledge regarding technology and suggested that more experts should be consulted when creating cybersecurity legislation:

A3 Look @ Bill http://t.co/Ybyy6Cpnjx Little to help consumer #privacy - minimalist tech understanding of #bigdata #cybersecurity #grcchat
— knowlengr (@knowlengr) May 7, 2015

R @TT_Nicole Mixed bag needed: some is stds organizations eg @USNISTgov @OasisOpen @HL7 @id_eco_system +pvt citizen engagement
— knowlengr (@knowlengr) May 7, 2015

@TT_Nicole @knowlengr #grcchat Working around biases often requires a team approach w/ all biases exposed and counter-balanced.
— Forvalaka41 (@Forvalaka41) May 7, 2015

A3 Proposal seems to have little support from security "specialists" http://t.co/uF67dyBNXM Not a good leading indicator #privacy #grcchat
— knowlengr (@knowlengr) May 7, 2015

What privacy protections must be in cybersecurity legislation to ensure consumer data is not violated?

Participants discussed how some consumer data privacy sacrifices might be necessary to protect information under cybersecurity legislation, but added there is still a need for controls on what exactly the government can and cannot do with consumer data.

A5 citizens/consumers will likely have to get used to at least some public/private sector info sharing to protect cybersecurity #GRCchat
— Ben Cole (@BenjaminCole11) May 7, 2015

@Fran_S_TT #grcchat An excellent point but it seems to be an #EpicFail for the inelligence community w/ big pendulum swings back and forth.
— Forvalaka41 (@Forvalaka41) May 7, 2015

One participant stated that cybersecurity legislation still has a long way to go, especially when it comes to transparency:

A5 #Privacy measures needed are complex, beyond scope of chat, but educ'd citizen needs access,transparency,provenance,acc'blity #grcchat
— knowlengr (@knowlengr) May 7, 2015

A5 Bill calls for YA #cybersecurity technology assessment, but existing evidence / guidelines not used, esp "training" + encryption #grcchat
— knowlengr (@knowlengr) May 7, 2015

SearchCompliance site editor Ben Cole advocated for finding the right mix of government involvement and privacy protection, before pointing out the problem that innovation presents: New tech could either provide more security, or create new opportunities for data breaches.

A5 Will be very difficult, but gov has to find the right balance between U.S. cybersecurity strategy and privacy protection #GRCchat
— Ben Cole (@BenjaminCole11) May 7, 2015

. @TT_Nicole yes def could build info protection in new tech....or could create more access for hackers/securityvulnerabilities #GRCchat
— Ben Cole (@BenjaminCole11) May 7, 2015

How do you think cybersecurity legislation will affect consumer data privacy? Sound off in the comments section below.

Next Steps

Security information sharing needed, says government cybersecurity experts

Finding the line between data analytics and consumer data privacy

A look at past cybersecurity legislation with the Cybersecurity Act of 2009

Dig Deeper on Risk management and compliance

Will cybersecurity legislation's data sharing measures hurt privacy? Information sharing plays a big role in proposed cybersecurity legislation, but will the new measures hurt data privacy? Discuss with us during #GRChat May 7 at 12 p.m. EST.

Will new net neutrality regulations spur investment and innovation? The FCC gave new net neutrality regulations the go-ahead, but the battle for an open Internet is hardly over. In this #GRCChat recap, find out whether the new regulations mean good news for innovation and consumer privacy.

Wearables in the workplace strain existing GRC policies Have you considered the GRC implications of wearables in the workplace? In this #GRCChat recap, participants consider the impact of wearables on established policies and how businesses can ensure data security and privacy.

2015 might be a big year for these GRC technologies This could be a big year for GRC technologies. #GRCChat-ters predict which tools and processes will continue their upward trend in 2015 and which will wane.

Top enterprise GRC and security predictions for 2015 Can we leave the "year of the breach" title to 2014? In this #GRCChat recap, participants shared their enterprise GRC and security predictions for 2015.

GRC 2015: What do you hope to achieve this year? A new year means a fresh start. In this #GRCChat recap, participants assess their current IT challenges and share their GRC 2015 resolutions.

Aislyn Fredsall asks:

Do you think new cybersecurity legislation threatens consumer data privacy?

Join the Discussion

Join the conversation

7 comments

Send me notifications when other members comment.

Oldest

[-]

Aislyn Fredsall - 6 Jul 2015 11:17 AM

Do you think new cybersecurity legislation threatens consumer data privacy?

Veretax - 21 Dec 2015 8:47 PM

Absolutely. Any door that is opened for law enforcement or intelligence agencies on purpose, even friendly ones, is likely something that foreign enemies, crooks, and hackers could also exploit.

Sharon Fisher - 31 Aug 2015 5:55 PM

Wow, I had never thought of the angle that cybersecurity laws could actually be used to collect consumer data for the government. If you're the paranoid type, makes you wonder how many of the recent hacks our government was behind.

Veretax - 16 Dec 2015 9:37 PM

After watching the presidential debate last night, I am left wondering if our government understands that legislation that mandates keys, makes us all vulnerable. (Did not the Battlestar Galactica reboot teach us that very thing?)

mcorum - 17 Dec 2015 10:07 AM

The lack of privacy protection shows that the people promoting this legislation either do not fully understand the potential impact it will have on the privacy of those it supposedly protects or they do not care. Given their track record, it’s most likely the latter.

Ben Cole - 21 Dec 2015 3:23 PM

Privacy advocates are certainly concerned about the details of the Cybersecurity Act of 2015, which was included in the Omnibus Spending Bill when it passed last week. The cybersecurity Act portion is an updated version of the Cybersecurity information Sharing Act that has been debated for years, and encourages information sharing between the public and private sector to improve cybersecurity. Privacy advocates are concerned it will allow organizations and federal authorities to avoid privacy standards and civil liberties. They are also unhappy about the cybersecurity act was built into the Omnibus bill, where the cybersecurity portion was unlikely to be debated on its own merits.

Sharon Fisher - 26 Jan 2016 8:34 PM

Agreed. I'm very nervous about the new powers our government is accumulating.

Is consumer data privacy at risk under cybersecurity legislation?

#GRCChat participants discuss how cybersecurity legislation could hurt data privacy and what personal information protections should be included in the new rules.

Will data sharing policies proposed in cybersecurity legislation hurt consumer privacy? Why or why not?